Hey All,

Just installed SuSE 9.2 on a machine that is going to be my web server/email server system. In locking the box down, I noticed that TCP:21 is responding to a port scan. I don't have any FTP service active in inet or any type of FTP server running period!!! I'm trying to track down where it's coming from, but SuSE is just a little bit different from your standard Red Hat system.

TIA,

Welcome to Linuxquestions.

As root try running: netstat -pantu

Also run (if installed): lsof -i

Just got back to the server. After running a "netstat -pantu", I got the following results:

hyrule:/etc/sysconfig/network # netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3912/portmap
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 4103/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4341/master
tcp 0 0 66.231.105.161:1198 131.159.72.23:21 ESTABLISHED 9097/y2base
tcp 0 0 :::80 :::* LISTEN 8783/httpd2-prefork
tcp 0 0 :::22 :::* LISTEN 4028/sshd
tcp 0 0 ::1:25 :::* LISTEN 4341/master
udp 0 0 0.0.0.0:68 0.0.0.0:* 6113/dhcpcd
udp 0 0 0.0.0.0:111 0.0.0.0:* 3912/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 4103/cupsd

That shows me the y2base app is the only one baring port 21. After killing "watcher" (the SuSE update utility, I got the following:

hyrule:/etc/sysconfig/network # netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3912/portmap
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 13084/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4341/master
tcp 0 0 :::80 :::* LISTEN 8783/httpd2-prefork
tcp 0 0 :::22 :::* LISTEN 4028/sshd
tcp 0 0 ::1:25 :::* LISTEN 4341/master
udp 0 0 0.0.0.0:68 0.0.0.0:* 6113/dhcpcd
udp 0 0 0.0.0.0:111 0.0.0.0:* 3912/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 13084/cupsd


This is all fine and dandy. But I'm still showing port 21 as listening. Grrrrrrrrrr!!!!!!!

What does the lsof -i command show? Is there anything between the SuSE box and the system you're scanning from (router, switch, other hosts, internet)? Also when you say it port 21 "responds" , do you mean it's shown as "open" or as "closed" while most other ports are in the "filtered" state?

try this

telnet 127.0.0.1 21

Here is a snipit of mine...

[ftp not running]
jbutler@www:~> telnet 127.0.0.1 21
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
jbutler@www:~>

[ftp running]
jbutler@www:/etc> telnet 127.0.0.1 21
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 ProFTPD 1.2.10 Server (FTP Server) [127.0.0.1]


See what kind of response you get back from telneting to that port and report back

Hmm... looking back over what you pasted I do not see where port 21 is set to Listen
Maybe I'm over looking it, but i'll have to look again... I bet Capt is on the right track, your bouncing filtered or closed

Yeah, I completely agree with you guys. Nothing on my box seems to be listening on port 21.

In an extreme act of frustration, I reinstalled SuSE 9.2 as the server wasn't in any super configuration anyhow. Aftrer just a basic install, here is the same information:

linux:/etc/sysconfig/network # netstat -pantu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 4218/portmap
tcp 0 0 0.0.0.0:631 0.0.0.0:* LISTEN 4381/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4511/master
tcp 0 0 66.231.105.161:1090 64.233.167.99:80 TIME_WAIT -
tcp 0 0 66.231.105.161:1078 64.233.167.99:80 TIME_WAIT -
tcp 0 0 66.231.105.161:1079 64.233.167.99:80 TIME_WAIT -
tcp 0 0 66.231.105.161:1080 64.179.4.149:80 TIME_WAIT -
tcp 0 0 :::22 :::* LISTEN 4288/sshd
tcp 0 0 ::1:25 :::* LISTEN 4511/master
udp 0 0 0.0.0.0:111 0.0.0.0:* 4218/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 4381/cupsd
linux:/etc/sysconfig/network # lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
portmap 4218 nobody 3u IPv4 7192 UDP *:sunrpc
portmap 4218 nobody 4u IPv4 7193 TCP *:sunrpc (LISTEN)
sshd 4288 root 3u IPv6 7327 TCP *:ssh (LISTEN)
cupsd 4381 lp 0u IPv4 8660 TCP *:ipp (LISTEN)
cupsd 4381 lp 2u IPv4 8661 UDP *:ipp
master 4511 root 12u IPv4 8558 TCP localhost:smtp (LISTEN)
master 4511 root 13u IPv6 8559 TCP localhost:smtp (LISTEN)
linux:/etc/sysconfig/network # telnet 127.0.0.1 21
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused

Here is what I get from an outside IP:

C:\telent 66.231.105.161 21
Connecting To 66.231.105.161...Could not open connection to the host, on port 21: Connection failed

Even with that, a port scan still shows 21 as responding!

When I see "Connection failed", that would either tell me that SuSEfirewall2 is blocking the port, and/or that the server isn't listening on that port. I know that I'm using the default firewall, so I went ahead and added a tunnel through for FTP (tcp: 21 - in the SuSEfirewall2 config). Then got this....

linux:/etc/sysconfig/network # telnet 127.0.0.1 21
Trying 127.0.0.1...
telnet: connect to address 127.0.0.1: Connection refused
linux:/etc/sysconfig/network #

C:\telent 66.231.105.161 21
Connecting To 66.231.105.161...Could not open connection to the host, on port 21: Connection failed

EVERY INDICATION on the server tells me that there isn't anything listening to port 21. But a port scan tells me otherwise. Did this from 3 seperate IP systems with the same results.

just trying something different.....

When I went to http://probe.hackerwatch.org/probe/probe.asp , It gave me this:

Closed but Unsecure
21 (FTP)

This port is not being blocked, but there is no program currently accepting connections on this port.

So how in SuSEFirewall2 do I block incoming ports on my "internet" interface? If this keeps up, I might give up and go to Mandrake or Fedora! SuSE can be nice, but also a pain!!!

First Off I dont care for SuSE Firewall... I use my own script using iptables.... here I'll post it for you and give a little explination....


#!/bin/bash

echo "Start Firewall"

/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -F INPUT
/usr/sbin/iptables -P OUTPUT ACCEPT
/usr/sbin/iptables -F OUTPUT
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -F FORWARD
/usr/sbin/iptables -t nat -F

/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 21 -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 22 -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 25 -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -p udp --dport 53 -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 80 -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 110 -i eth0 -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport 143 -i eth0 -j ACCEPT

/usr/sbin/iptables -A INPUT -p icmp --icmp-type 0 -i eth0 -j ACCEPT #echo reply
/usr/sbin/iptables -A INPUT -p icmp --icmp-type 3 -i eth0 -j ACCEPT #destination
/usr/sbin/iptables -A INPUT -p icmp --icmp-type 11 -i eth0 -j ACCEPT #time exceeded

echo "Firewall Started"

echo "Setting time from Atomic Clock Server"
/usr/sbin/ntpdate time.windows.com

first thing it will flush any existing config.... then I tell it to only accept incomming connections on the following ports.... 21 22 25 53 80 110 143, You can change those to meet your needs.... if their are too many lines just delete some.....

I also threw in there to update the system time to time.windows.com every time the system boots..... which isnt often......

Save this to a file, you'll have to chmod +x call it rc.firewall or whatever, save it to /user/sbin

Then open up /etc/init.d/boot.localnet and paste it in there... Here is a snipit of my boot.localnet

### BEGIN INIT INFO
# Provides: boot.localnet
# Required-Start: boot.ldconfig
# X-UnitedLinux-Should-Start: boot.quota
# Required-Stop:
# Default-Start: B
# Default-Stop:
# Description: setup hostname and yp and do cleanup
### END INIT INFO
. /usr/sbin/rc.firewall
. /etc/rc.status
. /etc/sysconfig/cron




cheers

Ok, I'm going to have a long talk with my ISP......

I turned the server completely OFF!! And I still have port 21 responding!

I think I can stop chasing my tail now.

Thanks a bunch for the advice guys!!

Are you sure that your dsl modem isn't causing this? I had a cisco 678 dsl modem that would do something similiar it had management ports that would mess up port scans. If your server isn't listening on port 21 who cares anyway.

nope.

Modem is an Efficient Networks 5100 bridged modem. There isn't any type of IP activity that can occur there.